The Information Commissioner’s response to the Financial Conduct 
Authority’s call for input on the concept of a cross-sector sandbox 


The Information Commissioner’s Office (ICO) has responsibility for promoting and 
enforcing the General Data Protection Regulation (GDPR), the Data Protection Act 
2018 (DPA18), the Freedom of Information Act 2000, the Environmental 
Information Regulations 2004 and the Privacy and Electronic Communications 
Regulations 2003 (PECR), amongst others. We are independent from government 
and uphold information rights in the public interest, promoting openness by 
public bodies and data privacy for individuals. We do this by providing guidance 
to individuals and organisations, and taking appropriate action where the law is 
broken. 


The ICO welcomes the opportunity to respond to this call for input. While the 
Information Commissioner recognises the value of innovation and the benefits it 
can bring to the UK economy, technology is becoming increasingly complex. The 
application of new products and concepts is leading to scenarios in which a cross- 
regulatory approach may be necessary to ensure that the impact of technology 
on individuals’ rights is properly understood and overseen. 


The ICO has recently launched its own regulatory sandbox, helping companies 
and public bodies deliver new products and services of real benefit to the public 
with assurance that they have tackled built-in data protection at the outset. It is 
in its beta phase, with a first cohort of 10 projects being selected to participate 
from across a broad range of sectors. The products and services involved met the 
selection criteria of being genuinely innovative and viable and with the potential 
for delivering real benefit to the UK public. 


Within the last 12 months the ICO has also formed a discrete Innovation 
department, focusing on novel developments in the use of personal data. Areas 
of focus include data processing requiring data privacy impact assessments 
(DPIAs), research into Artificial Intelligence (AI), and privacy within social media 
and other digital products. 


The ICO has also received an award from the BEIS Regulators’ Pioneer Fund 
(RPF) to establish the Regulators’ Business Innovation and Privacy Hub (‘the 
Hub’), which works in partnership with other regulators to provide businesses 
with expert support in information privacy and data protection. Sitting within the 
ICO’s Innovation department, a key element of the Hub’s work is to promote the 
benefits of taking a ‘data protection by design’ approach. The original scope of 
working with other regulators in receipt of an RPF grant has since broadened to 
include any regulator or similar organisation which offers innovation services or a 
sandbox function. 


The Hub is about to begin work with the FCA’s sandbox and Direct Support 
functions, and supported the FCA TechSprint on data sharing and financial crime 
which took place in July 2019. 


In December 2018 the Hub responded to questions from the FCA similar to those 
posed by this call for input. At that time the team was in its infancy and, as with 
the ICO’s sandbox, was not yet working with innovators. The following response 
includes some of the answers given in 2018. 


We believe that sandboxes are powerful branding tools for regulators, and can 
act as a ‘shopfront’ for an innovation agenda. There is value in having a service 
which focuses joint attention on regulation and innovation and encourages 
detailed working between regulators and businesses. Having a ‘no wrong front 
door’ policy, in which a business can approach any regulator and be directed to 
the correct place, would mean that businesses could receive information and 
direction more efficiently. 


A cross-sector sandbox could also prevent regulatory ‘silos’, through a system 
where approaching one regulator raises awareness of needs with another. This 
could lead to regulators having consistent understanding of emerging and cross- 
market trends, and uncovering hidden assumptions about each other’s work. 


The Hub is already working with the FCA on a practical basis to ensure that data 
protection considerations are embedded at an early stage of customer experience 
and interface development, providing input at the recent FCA TechSprint event. 
We believe that cross-regulatory oversight at an earlier stage in the roll-out of 
the Google DeepMind Streams app by the Royal Free NHS Foundation Trust may 
have resulted in further clarity on the interplay between the duty of confidence 
and the data protection framework in this case. 


We recently attended the FCA’s roundtable event on the feasibility of a cross- 
sector sandbox and found it very valuable to engage with other interested 
parties. We note the comments at that event that the ICO is a ‘true cross-sector 
regulator’ because of its regulatory function of overseeing legislation which cuts 
across sector boundaries. There is significant value in the ICO being involved in 
any cross-sectoral work which involves the processing of personal data, and a 
strong argument that data protection considerations must be highlighted to 
businesses and individuals seeking to innovate. 


The GDPR already requires that an organisation consults the ICO where a data 
protection impact assessment indicates that processing data ‘would result in a 
high risk in the absence of measures taken by the controller to mitigate the risk’. 
Promotion of this process at an early stage by multiple regulators would assist us 
in ensuring that data protection requirements will be taken into account by the 
businesses involved, and that other regulators are aware of those requirements 
where personal data is a major factor in an innovative product or service. 


On the basis of the reasons outlined above, we feel that there is true value in 
formalised cross-regulatory working. The Hub in particular is seeking to further 
this through its current work with the FCA and other regulators. 


We believe that significant consideration needs to be given to the best way to 
deliver such a service. In order to determine whether a sandbox is the best 
mechanism to achieve that cooperation, we suggest that the following questions 
be addressed: 


• What role would individual regulators play in a cross-sector sandbox? 
Would a lead regulator be identified? Will the definition of ‘regulator’ 
include organisations with similar roles, such as Ombudsmen? How will 
regulators’ independence be maintained in such a scenario? 


• What does the FCA see as being the primary purpose of such a sandbox? 
The primary function of the ICO’s sandbox is to assist our regulatory 
function and facilitate compliance with the legislation we oversee, rather 
than assisting products to market. Whilst we recognise that there may 
ultimately be business benefits to participants, we are clear that our 
primary purpose is to help achieve compliance of innovative uses of 
personal data in the public interest - how will the balance of these 
purposes, and the different kinds of purposes that other regulators may 
have, be addressed in a single sandbox? 


• How will eligibility for applications be established between regulators? 
Who will oversee the applications process? 


• How will what is ‘innovative enough’ be determined across regulators? 


• How will regulatory priorities and risk appetites be determined and aligned? 


• How will a sandbox be staffed in the face of competing priorities and the 
level of complexity and time involved in establishing legal mechanisms and 
implementing appropriate paperwork, legal documentation and terms and 
conditions? 


• How will the order in which advice should be given by different regulators 
be determined? 


• How will the completion of any pre-requirements (such as DPIAs) be 
ensured, to avoid the ICO needing to provide basic advice? 


• How will individuals’ rights be protected across the interaction of 
multiple pieces of legislation? 


• How will regulators’ own interests be preserved? For example, in those 
cases where one regulator may choose not to support a firm with a poor 
compliance history or where there is a clear conflict of interests? 


We would also like to draw attention to the other options that could be pursued, 
either as an alternative or additional component of the proposed cross-sector 
sandbox model. For example, the Hub is currently considering the benefits of a 
number of cross-regulatory methods to provide advice and support. These 
include the development of linked website areas for innovators (ie with 
signposting to other relevant regulators’ guidance), publication of joint 
communications, and continued provision of support to events such as the FCA 
TechSprint. 


This ‘Hub model’ of creating a gateway between regulatory sandboxes and the 
ICO is proving effective and practical, particularly in relation to cross-regulatory 
collaboration and for businesses where a sandbox is not available in their sector 
or the business does not meet eligibility criteria. 


We have also considered the possibility of developing a gateway or triage 
system, where a business would be able to approach a virtual team which would 
decide which regulators would be able to give advice, or suggest applications to a 
specific sandbox. A model such as this could bring the benefits of cross- 
regulatory awareness and signposting without any of the complexities we have 
outlined above. 


Proposed next steps 


Sharing good practice and lessons learned is the cornerstone of our innovation 
work and we believe that forming cross-regulatory cooperation networks should 
be prioritised before any potentially complex mechanisms are put in place. 
Creating and joining such networks is one of our own regulatory priorities, 
resulting in the ICO’s membership of the UK Regulators’ Network (UKRN), the 
BEIS Regulators’ Forum, and the creation of the Hub. 


The ICO is committed to supporting innovation through the provision of relevant 
advice and the use of cross-regulatory collaboration, and would welcome further 
discussion on any of the points raised within this response. 